Krasimir Konov, a malware analyst at Sucuri, has reported a persistent campaign of malicious script injection into compromised WordPress websites. This campaign takes advantage of known vulnerabilities in WordPress themes and plugins and has affected a vast number of websites throughout the year.
The website security company said domains at the end of the redirect chain could be used to load ads, phishing pages, malware, or even trigger another set of redirects.
In some cases, unsuspecting users are taken to a fake redirect landing page that contains a fake CAPTCHA check; clicking it displays unwanted advertisements that are disguised to look as if they come from the operating system rather than from a browser.
The campaign, a follow-up to another wave detected last month, is believed to have affected 322 websites so far, since May 9. The set of April attacks, meanwhile, has compromised more than 6,500 websites.
Once the website was compromised, the attackers attempted to automatically infect any .js files with jQuery in the names. They injected code that starts with “/* trackmyposs*/eval(String.fromCharCode…”
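A site owner can check for this marker from the file system. The scanner below is an added example, not code from Sucuri or from the original article: it walks a site tree, looks only at `.js` files with jQuery in the name, and decodes the `String.fromCharCode` argument list for review without evaluating it. The directory layout and the payload in `demo()` are constructed samples, and the loose whitespace matching is an assumption about variants.

```python
import re
import tempfile
from pathlib import Path

# Marker quoted in the article; whitespace is matched loosely in case variants differ.
MARKER = re.compile(
    r"/\*\s*trackmyposs\s*\*/\s*eval\(\s*String\.fromCharCode\(([\d\s,]*)\)", re.I)

def decode_charcodes(arg_list):
    """Decode a fromCharCode argument list for review; nothing is evaluated."""
    # String.fromCharCode keeps only the low 16 bits of each argument.
    return "".join(chr(int(n) & 0xFFFF) for n in arg_list.split(",") if n.strip())

def scan_tree(root):
    """Return (relative path, offset, decoded text) for each marker in a jQuery-named .js file."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.js")):
        if "jquery" not in path.name.lower():
            continue  # the article says files with jQuery in the name were targeted
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in MARKER.finditer(text):
            hits.append((path.relative_to(root).as_posix(), m.start(),
                         decode_charcodes(m.group(1))))
    return hits

def demo():
    """Build a constructed site tree in a temp directory and scan it."""
    codes = ",".join(str(ord(c)) for c in "console.log('constructed sample')")
    injected = "/* trackmyposs*/eval(String.fromCharCode(%s));" % codes
    files = {
        "wp-includes/js/jquery/jquery.min.js": injected + "\n/* library code */",
        "wp-content/plugins/sample/jquery.sample.js": "/* clean file */",
        "wp-content/themes/sample/app.js": "/* not jQuery-named, skipped */",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, offset, decoded in demo():
        print(f"{rel} @ {offset}: {decoded}")
```

A hit means the file should be replaced with a clean copy from a trusted source; the decoded text shows what the injected call would have run.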
From the perspective of a site visitor, they will simply see the following malware page before reaching the final destination. This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they will be signed up to get unwanted ads even when the site is not open, and the ads will appear to come from the operating system, not a browser.